DOD warns against the dark side of social networking

In an earlier era, “loose lips sink ships” was the military’s warning not to let even small details about military movements and operations slip in casual conversation. In contrast, social media Web sites today thrive on loose lips, making it even tougher to maintain operational security.

The problem is not so much people twittering away secrets as letting slip many smaller pieces of information that an adversary can piece together.

“There’s a tendency to think that if information is not classified, it’s OK to share,” said Jack Kiesler, chief of cyber counter intelligence at the Defense Intelligence Agency, in a presentation last month in Orlando, Fla., at the DODIIS Worldwide Conference for intelligence information systems professionals.

What readers are saying:

"We live in an open society where the exchange of unclassified information and information that is suppose to be in the public domain is our competitive advantage to spur new ideas and innovation."

Operational security refers to the process of denying information to potential adversaries about capabilities or intentions of individuals or organizations by identifying and protecting generally unclassified information on the planning and execution of sensitive activities.

An adversary trying to uncover secrets will start by chipping away at operational security indicators that point them toward a target, Kiesler said. A foreign agent seeking to steal stealth technology might start by trying to identify individuals who are working on the technology, figuring out whom they associate with, following their movements, looking for clues on new research areas and so on.

Much of that information might be available through a professional profile on LinkedIn, for example. Furthermore, participation in online discussion groups or blogs might help foreign intelligence services single out disgruntled military or intelligence agency employees who could be recruited or blackmailed, Kiesler said. Not only are younger employees immersed in the social media culture, but older ones often become participants without understanding their limited control over the information they post online, he added.

Although operational security is supposed to be a standard component of military operations, Kiesler seeks to pursue it in a more disciplined way, with proactive tests of an organization’s operational security. Rather than embarrassing the organizations and individuals who flunk the test, the goal is to educate them, he said.

Jensen presented a fictional scenario that he said was based on those kinds of tests, in which a foreign agent named Jane starts by exploring the membership of a LinkedIn group called Intelligence Professionals.

In Jensen’s scenario, LinkedIn provides a target DIA employee’s basic résumé with a link to his blog. The blog, in turn, has links to other social media sites the person participates in, so the adversary can browse Flickr photos and Twitter messages, continuing to round out the picture. The DIA employee uses the same handle on many Web sites, allowing Jane to search for posts he has made elsewhere. On Slashdot, he mentions something about the Starbucks near his house.

That allows Jane to bump into her target at Starbucks, hack the wireless session he initiates from his iPhone and eventually capture information, including his online banking password. From there, she has many options to monitor his every move, drain his bank account or blackmail him.

Of course, the pull of the online world is not so easily countered. There really is an Intelligence Professionals group on LinkedIn, and Kiesler and Jensen found 163 LinkedIn members who listed DIA as their current employer, including at least one information security analyst based in Washington, D.C.

But Kiesler and Jensen said people can learn to be more circumspect and take precautions such as varying their online signatures rather than using the same user name on multiple Web sites.

inside gcn

Reader Comments

Sat, Jul 25, 2009

Information posted on social networking sites may be used against the person who posted the information, against any person or organizations mentioned, and against our nation in general. These sites are easily accessible by anyone in the world, including your friends and our enemies.

Mon, Jul 13, 2009

Sat, Jul 11, 2009
confidential
near Chicago

As nice n' glitzy as they might *seem* resources such as Facebook, Myspace or the like are a danger not only to privacy but also to operational security of companies, government institutions, families or the like. Personal or private lives ought to be kept private. Being stupid because its popular and really, really cool is *still* being stupid. I meet many people WITHOUT Facebook. Its even sad to think that folks even need resources like Facebook to socialize--what does it say about the social ineptitude of relying on something so fleeting and lame for meeting people rather than improving your live social skills so you just throw all of your eggs into a search engine-shallow much? I know of folks that work in lines of work whose lives could seriously be compromised by a photo appearing on Facebook--consider folks under witness protection. Why not just socialize FACE TO FACE rather than online? Is there really anything OTHER than a kind of vanity, deep narcissism or an addiction to gossip and drama that drives these sites? I mean why does a famer in Cambodia really need to know who your friends are or who you had sex with last night or where you went to school or what your boyfriend looks like--WHO REALLY GIVES A CRAP? What will eventually happen is that companies like Facebook will get sued castrophically over losses or injuries and that will cause them to change their models. HINT: there should be a facility on all those kinds of websites to demand that photos or information be removed. Get real lives people.

Fri, Jul 10, 2009
Mike
DC

It's not all public data, nor should it be.
Obama released a very sensitive document with information on all the US nuke site locations/missions and then was forced to retract it the next day. This was no accident. This is what happens when amateurs and saboteurs are in office.
Groups like the ACLU regularly seek to make classified data unclassified and undermine our own security through legal means.
Our competitive advantage is that we follow a rule of law and offer the best opportunities to the most people in as free and equal a society as has ever existed on this planet...not that we share all of our secrets with those who want to destroy this country (and they exist both within and outside the country).
Some documents can't even be found because they are in Sandy Berger's pants...others just disappear (Clinton).

Mon, Jul 6, 2009
BaltFed
Baltimore, MD

This whole article is about the difference between Classified and Sensitive information.

About 25 years ago I went to a course on Telecommunications Protection, in which they explained the difference between Classified and Sensitive information. Sensitive is information that is not National Security-related, but still has the potential to be used to an enemy's advantage. The example given in the class was that during World War II, an Allied spy in Japan supplied information that Japan had not made a large number of heavy woolen uniforms that summer. "So what!" you might ask, "It's not important like information about troop movements." True, but the Allies inferred from this information that the Japanese did not intend to launch a cold-weather attack that year, which let the Soviets move much-needed troops from Manchuria to their Western Front to defend against the German invasion.

A more modern example would be the idiot Congressman that came out of a Defense briefing during the initial action in Afghanistan and disclosed to the world that the US was tracking Osama bin Laden by his Satellite phone. So what happened? Bin Laden went in one direction, and his driver went in the other with bin Laden's SatPhone, and we lost him.